Security and privacy issues over cloud computing are not very different from those surrounding any sort of IT outsourcing and need to be treated that way, security managers and analysts say in the wake of breaches involving Twitter and Google Apps.
The incident has resurfaced many familiar concerns relating to cloud computing and is raising questions over a multimillion-dollar plan by the city of Los Angeles to move its e-mail and office applications to the cloud.
While many of the concerns are valid, it's important to retain perspective around them, security experts said.
“These concerns are very similar to the concerns and risks associated with traditional data storage outsourcing, offshoring, or other forms of remote data access,” said Christopher Pierson, chief privacy officer with a large financial institution, which he asked not be identified. “Within the cloud, the standard issues of user access, authentication, encryption, location of storage all exist and need to be thought through on the front end,” he said.
The advice comes in the wake of the July 15 disclosure by Twitter that a hacker had accessed a substantial amount of company data stored on Google Apps by first hijacking a Twitter employee's official e-mail account. Though the breach had more to do with weak passwords and password resets, the incident has nevertheless drawn fresh attention to broader security and privacy concerns related to cloud computing.
Some groups in Los Angeles are pointing to the Twitter/Google Apps incident as a reason why the city needs to reconsider a recently proposed plan to move e-mail and office applications to Google Apps.
Under the $7.25 million plan, the city will transition its Novell GroupWise e-mail and Microsoft Office applications to Google's e-mail and office productivity products starting this December. The migration is expected to save the city more than $6 million in software license costs over the next five years and an additional $7.5 million from reallocating resources dedicated to GroupWise to other tasks.
But some, such as the Consumer Watchdog group said the Twitter incident raises the question of whether “Google's cloud as offered provides adequate safeguards.” Moving medical and health-related records, and information on domestic and sexual assault and substance abuse to Google raises concerns over how such sensitive data will be protected, the group wrote in a letter addressed to City Council members.
“Before jumping into the Google deal, City Council needs to insist on appropriate guarantees — for instance substantial financial penalties in the event of any security breach,” John Simpson, a consumer advocate for the group wrote.
In a similar letter sent a few days after the Twitter breach, the World Privacy Forum urged the city to move forward “slowly and cautiously' because of continuing uncertainty over the legal status of sensitive private information stored in the cloud. The letter noted that different types of information that the city was planning on migrating to Google had different security requirements. For instance, while health data is covered by the Health Insurance Portability and Accountability Act (HIPAA), classified information, tax records and law enforcement data are subject to different requirements.
“It is not clear that the security provided under the contract can meet all existing security obligations” World Privacy Forum executive director Pam Dixon wrote in the letter.
Such issues should not be underestimated and need to be part of any risk assessment involving the cloud computing environment, IT managers said.
“The cloud means that you are generally getting your IT services from the public Internet as opposed to the more private networks you are used to,” said Matt Kesner, chief technology officer at Fenwick & West LLP, a San Francisco-based law firm.
Companies need to consider how this fact affects the security and privacy of their data, Kesner said. “It's one thing if you could be sabotaged by five people or even 500 people working with you in your company. It's another thing if the people stealing your information could be any other person on the planet,” he said.
Other issues that companies need to consider are the co-mingling of data, which can happen when cloud providers host multiple customers on the same systems and data centers, and the fact that a company's data could be stored anywhere, Pierson said. Issues relating to data destruction, intellectual property protection, and privilege – such as doctor/patient privilege issues – are matters that need to be considered when migrating sensitive data to the cloud, Pierson added.
“The true security of the cloud remains uncertain at best,” said David Rice, author of Geekonomics and a consultant with the Monterey Group.
“This uncertainty allows wild variations in claims both for and against security concerns in the cloud,” Rice said. At a high level, however, cloud computing environments present “about as juicy a target” as it gets for hackers because they represent a concentration of data from multiple sources.
“There appears to be a strong tendency for blind faith among potential cloud customers that a service provider will somehow be better at securing data than the client is,” Rice said. “This is a hope based on unproven assertions about security by cloud vendors and driven by client frustrations about managing their own IT environments,” he added.
Security concerns relating to the cloud are not overblown, said Jim Kirby, director of information infrastructure at Dataware Services LLC in Sioux Falls, S.D. However, the concerns are the same as those involving any outsourcing project and touch upon data confidentiality, protection, integrity and availability.
“For an individual business deciding to go cloud or not, it's really a risk assessment issue around the four points,” he said. For large businesses, it's hard to see how the benefits of cloud computing might outweigh the risks, he said, but “if I were a startup or small business where data access wasn't a critical component of operations, the ability to deliver and scale rapidly would almost certainly outweigh the risk of using a cloud,” Kirby said.